Neo
b25308c3f4
## P1 数据库基础 - zqyy_app: 创建 auth/biz schema、FDW 连接 etl_feiqiu - etl_feiqiu: 创建 app schema RLS 视图、商品库存预警表 - 清理 assistant_abolish 残留数据 ## P2 ETL/DWS 扩展 - 新增 DWS 助教订单贡献度表 (dws.assistant_order_contribution) - 新增 assistant_order_contribution_task 任务及 RLS 视图 - member_consumption 增加充值字段、assistant_daily 增加处罚字段 - 更新 ODS/DWD/DWS 任务文档及业务规则文档 - 更新 consistency_checker、flow_runner、task_registry 等核心模块 ## P3 小程序鉴权系统 - 新增 xcx_auth 路由/schema(微信登录 + JWT) - 新增 wechat/role/matching/application 服务层 - zqyy_app 鉴权表迁移 + 角色权限种子数据 - auth/dependencies.py 支持小程序 JWT 鉴权 ## 文档与审计 - 新增 DOCUMENTATION-MAP 文档导航 - 新增 7 份 BD_Manual 数据库变更文档 - 更新 DDL 基线快照(etl_feiqiu 6 schema + zqyy_app auth) - 新增全栈集成审计记录、部署检查清单更新 - 新增 BACKLOG 路线图、FDW→Core 迁移计划 ## Kiro 工程化 - 新增 5 个 Spec(P1/P2/P3/全栈集成/核心业务) - 新增审计自动化脚本(agent_on_stop/build_audit_context/compliance_prescan) - 新增 6 个 Hook(合规检查/会话日志/提交审计等) - 新增 doc-map steering 文件 ## 运维与测试 - 新增 ops 脚本:迁移验证/API 健康检查/ETL 监控/集成报告 - 新增属性测试:test_dws_contribution / test_auth_system - 清理过期 export 报告文件 - 更新 .gitignore 排除规则
149 lines
4.3 KiB
Python
149 lines
4.3 KiB
Python
"""
|
||
JWT 令牌生成、验证与解码。
|
||
|
||
- access_token:短期有效(默认 30 分钟),用于 API 请求认证
|
||
- refresh_token:长期有效(默认 7 天),用于刷新 access_token
|
||
- payload 包含 user_id、site_id、令牌类型(access / refresh)
|
||
- 密码哈希直接使用 bcrypt 库(passlib 与 bcrypt>=4.1 存在兼容性问题)
|
||
"""
|
||
|
||
from datetime import datetime, timedelta, timezone
|
||
|
||
import bcrypt
|
||
from jose import JWTError, jwt
|
||
|
||
from app import config
|
||
|
||
|
||
def verify_password(plain_password: str, hashed_password: str) -> bool:
|
||
"""校验明文密码与哈希是否匹配。"""
|
||
return bcrypt.checkpw(
|
||
plain_password.encode("utf-8"), hashed_password.encode("utf-8")
|
||
)
|
||
|
||
|
||
def hash_password(password: str) -> str:
|
||
"""生成密码的 bcrypt 哈希。"""
|
||
return bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()).decode("utf-8")
|
||
|
||
|
||
def create_access_token(
|
||
user_id: int, site_id: int, roles: list[str] | None = None
|
||
) -> str:
|
||
"""
|
||
生成 access_token。
|
||
|
||
payload: sub=user_id, site_id, roles, type=access, exp
|
||
roles 参数默认 None,保持向后兼容。
|
||
"""
|
||
expire = datetime.now(timezone.utc) + timedelta(
|
||
minutes=config.JWT_ACCESS_TOKEN_EXPIRE_MINUTES
|
||
)
|
||
payload = {
|
||
"sub": str(user_id),
|
||
"site_id": site_id,
|
||
"type": "access",
|
||
"exp": expire,
|
||
}
|
||
if roles is not None:
|
||
payload["roles"] = roles
|
||
return jwt.encode(payload, config.JWT_SECRET_KEY, algorithm=config.JWT_ALGORITHM)
|
||
|
||
|
||
def create_refresh_token(user_id: int, site_id: int) -> str:
|
||
"""
|
||
生成 refresh_token。
|
||
|
||
payload: sub=user_id, site_id, type=refresh, exp
|
||
"""
|
||
expire = datetime.now(timezone.utc) + timedelta(
|
||
days=config.JWT_REFRESH_TOKEN_EXPIRE_DAYS
|
||
)
|
||
payload = {
|
||
"sub": str(user_id),
|
||
"site_id": site_id,
|
||
"type": "refresh",
|
||
"exp": expire,
|
||
}
|
||
return jwt.encode(payload, config.JWT_SECRET_KEY, algorithm=config.JWT_ALGORITHM)
|
||
|
||
|
||
def create_token_pair(user_id: int, site_id: int, roles: list[str] | None = None) -> dict[str, str]:
|
||
"""生成 access_token + refresh_token 令牌对。"""
|
||
return {
|
||
"access_token": create_access_token(user_id, site_id, roles=roles),
|
||
"refresh_token": create_refresh_token(user_id, site_id),
|
||
"token_type": "bearer",
|
||
}
|
||
|
||
|
||
def create_limited_token_pair(user_id: int) -> dict[str, str]:
|
||
"""
|
||
为 pending 用户签发受限令牌。
|
||
|
||
payload 不含 site_id 和 roles,仅包含 user_id + type + limited=True。
|
||
受限令牌仅允许访问申请提交和状态查询端点。
|
||
"""
|
||
now = datetime.now(timezone.utc)
|
||
access_payload = {
|
||
"sub": str(user_id),
|
||
"type": "access",
|
||
"limited": True,
|
||
"exp": now + timedelta(minutes=config.JWT_ACCESS_TOKEN_EXPIRE_MINUTES),
|
||
}
|
||
refresh_payload = {
|
||
"sub": str(user_id),
|
||
"type": "refresh",
|
||
"limited": True,
|
||
"exp": now + timedelta(days=config.JWT_REFRESH_TOKEN_EXPIRE_DAYS),
|
||
}
|
||
return {
|
||
"access_token": jwt.encode(
|
||
access_payload, config.JWT_SECRET_KEY, algorithm=config.JWT_ALGORITHM
|
||
),
|
||
"refresh_token": jwt.encode(
|
||
refresh_payload, config.JWT_SECRET_KEY, algorithm=config.JWT_ALGORITHM
|
||
),
|
||
"token_type": "bearer",
|
||
}
|
||
|
||
|
||
def decode_token(token: str) -> dict:
|
||
"""
|
||
解码并验证 JWT 令牌。
|
||
|
||
返回 payload dict,包含 sub、site_id、type、exp。
|
||
令牌无效或过期时抛出 JWTError。
|
||
"""
|
||
try:
|
||
payload = jwt.decode(
|
||
token, config.JWT_SECRET_KEY, algorithms=[config.JWT_ALGORITHM]
|
||
)
|
||
return payload
|
||
except JWTError:
|
||
raise
|
||
|
||
|
||
def decode_access_token(token: str) -> dict:
|
||
"""
|
||
解码 access_token 并验证类型。
|
||
|
||
令牌类型不是 access 时抛出 JWTError。
|
||
"""
|
||
payload = decode_token(token)
|
||
if payload.get("type") != "access":
|
||
raise JWTError("令牌类型不是 access")
|
||
return payload
|
||
|
||
|
||
def decode_refresh_token(token: str) -> dict:
|
||
"""
|
||
解码 refresh_token 并验证类型。
|
||
|
||
令牌类型不是 refresh 时抛出 JWTError。
|
||
"""
|
||
payload = decode_token(token)
|
||
if payload.get("type") != "refresh":
|
||
raise JWTError("令牌类型不是 refresh")
|
||
return payload
|